Tuesday, July 17, 2012

Blame the management

I'm not the first person to say this, but I really can't stress it enough: security starts with management. No matter how smart or well-intentioned the employees are, management has to drive security. Without management support and pressure, individual efforts lack consistency, security measures don't align properly with the business, and, perhaps most important, the incentives are all wrong. And, when an organization fails at security, it's management's fault.

Incentives

If developers are rewarded for improving the functioning or performance of the company's software, but not for finding or fixing security vulnerabilities, what will they spend their time on? Reviewing code for security vulnerabilities is time-consuming; why would a developer spend his spare time looking for problems that nobody cares about? Why should he replace the MD5 password hashing scheme the company has been using with one that is slower? MD5 works fine.

Consistency

At best, the company may have a few developers who understand and care about security. These people will filter user input and parameterize SQL queries, but what about everyone else? What about the other, possibly very talented, developers who just don't think about security? What about the new guy fresh from college who just hasn't been exposed to secure coding practices yet?

Management can push for and enforce standards. They can get some of the developers together with the security guys and have them come up with coding standards that all developers will be expected to follow. They can request money for training and books. They can get the local gurus to develop in-house training. The developers, for the most part, can't do this. Most of them are only responsible for their own efforts. Even in a team leader role, an individual developer has limited influence.

Business

Management are also in the best position to assess the business impact of security risks and to decide how the company should align their security practices with the business. Consider a bank for instance. Banks want to prevent electronic theft, but that's not their only defense. Banks are good at following money and getting it back. I read recently that banks succeed in recovering about 80% of what they lose. That's not perfect, but it's pretty good. They also have a built-in detection capability in that people tend to report money missing from their accounts, especially if it's relatively significant to their finances. This is important because it changes the risk assessment and the ROI for preventative security. On the other hand, banks are still subject to various ID theft and disclosure laws so this has to be factored in as well. This is management's responsibility to figure out. It's not the job of the IT and security folks to decide what is best for the business and then go do it.